The TAB – software security

The TAB is OCC’s Technical Advisory Board, made up of representatives from OCC’s project and product groups. The TAB’s role includes reviewing technology developments and their impact on the company’s software development.

Security in the news

Some breaches happened years ago and are only just coming to light. For example, Yahoo suffered two hacks three years ago that have only recently been discovered. Attackers try to keep a breach secret for as long as possible, as the stolen data drops in value once the breach is publicised.

It is interesting to note that as ‘internet of things’ technologies proliferate, security concerns are rising in new areas, for example medical devices such as pacemakers and insulin pumps.

Rise in cases of ransomware

“Ransomware can net crooks a conservative $84,000 a month for an investment of $6,000, a whopping 1,425 per cent profit margin,” Trustwave found last year.

Ransomware is a variety of malware whose operators attempt to extort a ransom in exchange for releasing their hold on the infected system. Often the infection is achieved through ‘spear-phishing’, that is, lures targeted at specific people with access to the system. For example, recent attacks directly targeted the NHS and UK schools.

There are many more examples. Sadly, people and companies often feel they have little choice but to pay up.

Ransomware usually targets open and insecure services exposed on the internet. For example, the default configuration of MongoDB (and likewise CouchDB, Hadoop and ElasticSearch) is insecure and has been heavily abused by attackers in this way.
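The MongoDB point above comes down to two settings: which interfaces the server listens on and whether access control is switched on. The following is an added example, not code from OCC or from the MongoDB project, that shows a permissive mongod.conf beside a corrected one and a small audit function that flags the two weak settings. The sample configuration files are constructed; the parser handles only the two-level key/value shape that mongod.conf uses and is not a general YAML parser. The note about older releases binding to all interfaces when bindIp is absent refers to MongoDB before 3.6.

```python
# Added example (not OCC's or MongoDB's own code): audit a mongod.conf for the
# two settings behind the "insecure default" described in the text.
from __future__ import annotations

# Constructed sample: a permissive configuration. Older MongoDB releases
# (before 3.6) bound to all interfaces when bindIp was not set, and access
# control is off unless security.authorization is enabled.
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on every interface
"""

# Constructed sample: the same file with both settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1    # loopback only; add a private address if replicas need it
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def parse_simple_yaml(text: str) -> dict[str, dict[str, str]]:
    """Parse the two-level "section: / key: value" subset of YAML that a
    mongod.conf uses. Deliberately minimal: comments are stripped; lists,
    quoting and deeper nesting are not supported."""
    result: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            result[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            result[section][key.strip()] = value.strip()
    return result


def audit_mongod_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings: list[str] = []

    bind_ip = cfg.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp not set: MongoDB before 3.6 then listens on all interfaces")
    else:
        addresses = [a.strip() for a in bind_ip.split(",")]
        exposed = [a for a in addresses if a not in LOOPBACK]
        if any(a in WILDCARD for a in exposed):
            findings.append(f"net.bindIp={bind_ip}: listens on every interface")
        elif exposed:
            findings.append(f"net.bindIp={bind_ip}: reachable beyond loopback; confirm a firewall restricts access")

    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not enabled: any client that can connect has full access")

    return findings


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to a private address for replica traffic is reported as a softer finding rather than a failure, because whether that is acceptable depends on the network around the server, which a file-only check cannot see.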

Securing websites

SSL certificates are becoming more and more important, regardless of whether the site handles particularly sensitive data: a company’s reputation can be destroyed if malware ends up on its site.

Chrome now labels sites served over plain HTTP as ‘Not Secure’, while Google gives preferential treatment to sites using HTTPS. Sites without a certificate also cannot benefit from HTTP/2, which can dramatically improve page loading speeds.

Thankfully, it is now easier than ever to secure your site with a certificate. Free certificates are available from Let’s Encrypt. There are even options, such as those from CloudFlare, that help secure a site (albeit not to the fullest level) without you having to install a certificate yourself.

Account security and passwords

The UK government has published password guidance containing tips on implementing a good, modern password policy. It is well worth reading the guidance and passing on the information to customers who may be less aware of the issues.

Of particular interest is the tip that ‘complex’ passwords often offer little extra protection, and can sometimes be detrimental, for example where the user has to write down their password, or reuse it across multiple systems, in order to remember it. An alternative is to use longer but easier-to-remember passwords, such as 4 random dictionary words, for example Red-Cabbage-Clever-Leopard.

The UK government now also advises against forcing password expiry as it can lead to users choosing similar or weaker passwords in order to cope with the fatigue of having to change and remember new passwords regularly.

Instead of these ineffective traditional account security measures, the recommendation is that systems implement technical measures to defend against password attacks.

You can educate your customers on the problems with traditional password policies and the new recommendations, and talk to them about technical measures including account lockout, protective monitoring and two-factor authentication.
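To make the account security section concrete, here is an added example, not code from OCC or from the UK government guidance, of the policy it describes: a passphrase generator in the Red-Cabbage-Clever-Leopard style, a password check that uses length and a deny list instead of composition rules and expiry, and a login guard that implements account lockout and keeps an event log for protective monitoring. Two-factor authentication is outside the example. The wordlist, deny list, thresholds and IP addresses are all constructed for illustration; a real deployment would use a large published wordlist and a breached-password list, and the clock is injectable only so the lockout can be exercised without waiting.

```python
# Added example (not OCC's or the UK government's code): modern password policy
# plus account lockout and a protective-monitoring log, as described in the text.
from __future__ import annotations

import secrets
import time

# Constructed wordlist, only to show the passphrase idea; a real deployment
# would draw from a large published list of several thousand words.
WORDLIST = ["red", "cabbage", "clever", "leopard", "river", "candle",
            "orbit", "velvet", "maple", "thunder", "pebble", "lantern"]

# Constructed deny list; in practice this is a large list of breached and
# commonly chosen passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def generate_passphrase(words: int = 4) -> str:
    """Random dictionary words joined with hyphens, e.g. Red-Cabbage-Clever-Leopard."""
    return "-".join(secrets.choice(WORDLIST).capitalize() for _ in range(words))


def check_password(candidate: str, min_length: int = 12) -> list[str]:
    """Return the policy failures for a candidate (an empty list means accepted).
    No composition rules (digits, symbols) and no expiry: a minimum length and
    a deny list are the checks the guidance favours."""
    problems: list[str] = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the deny list of common passwords")
    return problems


class LoginGuard:
    """Account lockout plus a protective-monitoring event log.

    Failures are counted per account inside a sliding window; reaching
    max_failures locks the account for lockout_seconds. Every failure and
    every lock is appended to `events` so it can be shipped to monitoring."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                       # injectable for testing
        self.failures: dict[str, list[float]] = {}
        self.locked_until: dict[str, float] = {}
        self.events: list[dict] = []

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        return until is not None and self.clock() < until

    def record_failure(self, user: str, source_ip: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < self.lockout_seconds]
        recent.append(now)
        self.failures[user] = recent
        self.events.append({"time": now, "event": "login_failed", "user": user, "ip": source_ip})
        if len(recent) >= self.max_failures and not self.is_locked(user):
            self.locked_until[user] = now + self.lockout_seconds
            self.events.append({"time": now, "event": "account_locked", "user": user, "ip": source_ip})

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def accounts_per_source(self) -> dict[str, set[str]]:
        """Monitoring view: which source addresses have failed against which
        accounts. One address failing against many accounts is a signal worth
        alerting on even when no single account reaches the lockout threshold."""
        seen: dict[str, set[str]] = {}
        for e in self.events:
            if e["event"] == "login_failed":
                seen.setdefault(e["ip"], set()).add(e["user"])
        return seen


if __name__ == "__main__":
    print(generate_passphrase(), check_password("Password1!"))
    guard = LoginGuard(max_failures=3)
    for _ in range(3):
        guard.record_failure("alice", "203.0.113.5")   # constructed documentation address
    print(guard.is_locked("alice"), guard.accounts_per_source())
```

The per-account window means a legitimate user who mistypes once is not penalised for long, while the per-source view catches the case the lockout alone misses: a single address trying a few guesses against many accounts.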